CTAB call of August 25, 2020 


  • David Bantz, University of Alaska, Chair
  • Brett Bieber, University of Nebraska
  • Tom Barton, 
  • Rachana Ananthakrishnan, Globus, University of Chicago   
  • Richard Frovarp, North Dakota State
  • Pål Axelsson, SUNET
  • Eric Goodman, UCOP - TAC Representative to CTAB
  • Chris Whalen, Research Data and Communication Technologies
  • John Pfeifer, University of Maryland  
  • Robert Zybeck, Portland Community College
  • Jon Miner, University of Wisc - Madison
  • Marc Wallman, North Dakota State University , InCommon Steering Rep, ex-officio 


  • Kevin Morooney, Internet2
  • Ann West, Internet2
  • Albert Wu, Internet2
  • Emily EIsbruch, Internet2
  • Johnny Lasker, Internet2


    • Chris Hable, University of Michigan

    • Ercan Elibol, Florida Polytech Institute

    • Jule Ziegler,  Leibniz Supercomputing Centre

    • Mary Catherine Martinez, InnoSoft (vice chair)


Welcome Johnny Lasker, Internet2, a new member of Nic Roy’s InCommon Operations team

    • Johnny will be working on Baseline Expectations implementation

Final review of Baseline Expectations v2  and BE implementation guide 

      For BE V2 Main document:

    • Formatting questions around bullets 
         Decision:  nested bullets help with clarity
      Security statements under generally accepted security practice statement

     For BE v2 Implementation Guide

      • As discussed  at last call:  For the secure endpoints Baseline Expectation,  “Must or Shall” instead of “should” meet score of A on SSL Labs
      • Noted that SSL labs changes the criteria for an A
      • What is the timeframe for meeting A when SSL labs makes a change? 
      • If a broad exception becomes warranted, we can make up a process to accept a “B” for a period of time
      • EricG spoke with colleagues, most UC campuses can handle exception cases on machine by machine basis, can configure networking to allow for some IPs and not others, there is a  big tech support commitment if we are going to talk to institutions running the TLS needed for possible exceptions
      • Tools
        • OWASP guidance: Suggestion to remove or relocate in the document  
        • OWASP TLS cheat sheets are a helpful resource
        • Move to 2nd paragraph, for additional info
        • Can also add OWASP as a footnote

        • QUALYS SSL Labs is promising,  but there is some chance InCommon operations will need to use a different tool for testing
        • If InCommon can’t use QUALYS SSL Labs, it will be necessary to do some mapping of the requirement to another tool's results
        • Text does not have to describe exactly what the Federation Operator (Internet2) will do
        • InCommon operations checking for SSL lab grade will need to be async

      • 90 day remediation period  
        • Questions about dispute resolution process and 90 day remediation period
          • Changed 90 day period in some places  to “mutually agreeable plan and  timeframe”  in the implementation document
        • Question: Is this 90 days outside of the 90 days in the dispute resolution process?  https://www.incommon.org/federation/dispute-resolution
        • Answer: yes, the 90 days in the BEv2 implementation document  is outside of the 90 days in the dispute resolution process 
        • Albert: every time SSL Labs changes the grading criteria, it will potentially invalidate all previous testing scores
        • We don’t want a big chunk of the federation participants in “dispute resolution” whenever there is an SSL Labs grading change

      • Next Steps
        • Hope to announce BEv2 at Base CAMP, Nov 16, 2020
        • To provide enough time for consultation and InCommon steering voting, we need to publish these in one week.
        • Decision:  hold an extra CTAB meeting in one week, on Tuesday, Sept. 1, to get thru the rest of this document 

Not discussed on this CTAB call due to lack of time

      • BE Implementation Project Plan
      • BE Impact statement (for Steering)
      • Communicating with community - signal end of consensus process
      • BE outreach team - should we have one? 

Upcoming CTAB calls

  • Additional CTAB Call to finish work on Baseline Expectations v2 implementation guide document :
    • Tuesday, September 1, 2020

  • Next regularly scheduled CTAB Call:
    • Tuesday, September 8, 2020


  • No labels